WindowSecurity.com - Monthly Newsletter - May 2014

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, Enterprise Security MVP), Technical Services Director for Celestix Networks. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com.

Editor's Corner

This month, two important security reports are available – the Verizon 2014 Data Breach Investigations Report and the Microsoft Security Intelligence Report Volume 16. Each of these reports includes valuable information about current attack methods and exploit trends. Armed with this knowledge and insight, security administrators can use this information to better prepare a defense strategy and focus on mitigating the common attack vectors being employed by successful attackers. Each report contains unique perspectives on the current threat landscape and attack motives, and I would encourage every security administrator to download these reports and review them as soon as possible. You’ll find the details eye-opening, and in spite of myriad ways in which an attacker can successfully penetrate your defenses, the majority of attacks follow a familiar and common pattern and leverage similar techniques and attack vectors. Paying careful attention to these in your own environment can yield immediate, positive results and improve your security posture immensely.

--Rich

Verizon 2014 Data Breach Investigations Report

The annual Verizon Data Breach Investigations Report (DBIR) is always a fascinating read. Built on information gathered while assisting enterprise customers around the world who have suffered a data breach, the report always provides valuable insight into current attack methods. What makes this report so compelling is that these attacks aren’t just hypothetical; these are real, successful attacks that result in full compromise and data theft. This year’s report focuses on common incident patterns, and interestingly enough, of the 1,367 confirmed data breaches and 63,437 security incidents that the report is based on, nearly 95% involve just nine basic attack patterns. The majority of attacks are from external actors. To me, this is not surprising. However, if you’ve spent any time walking the floor of the expo hall at a security conference, you know that security vendors like to play up the insider threat. Certainly the insider threat is a challenging one, but the data indicates that the bulk of attacks still come from the outside. This year’s report also shows that attacks and data breaches are increasingly the result of cyber espionage, while the financial motive is in slight decline. I believe this might be due to sample set skew, with more government agencies supplying data for the report. Rest assured, money is still the primary motivating factor behind the vast majority of attacks today, and that will not change any time soon.

Hacking still accounts for most successful attacks, with malware and social engineering following close behind. The primary asset targeted by attackers is still the server, with this year’s report showing a decline in the number of successful attacks against user devices and networks. Considering this, now might be a good time to review network access for your servers. I’ve been involved with network security for quite some time now, and I’m amazed at how often I see edge firewalls configured with ACLs that allow entire networks (which include server segments) to access the public Internet. Disturbingly, the report shows that the time to compromise for an attacker is falling, while the time to discovery, although getting better, is not improving at the same rate. This means that attackers are becoming more efficient, and are more quickly able to penetrate our defenses. Security administrators are falling behind in this regard, which is not a good trend, obviously. It does appear that we’re doing a better job of identifying successful attacks, however. This is a good trend, as in the past, it was more common to be notified of a data breach by law enforcement or a third party.
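The egress review suggested above can be partly automated. The following is an added example, not part of the original newsletter: it walks a rule list in a simplified, constructed format (not any vendor's syntax) with first-match semantics and reports the server address ranges that a rule permits to reach any destination. The addresses, rules, and server segment list are constructed sample data.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_rule(line):
    """Parse '<action> <source> <destination>' (simplified, constructed format)."""
    action, src, dst = line.split()
    def to_net(token):
        return ANY if token == "any" else ipaddress.ip_network(token)
    return action, to_net(src), to_net(dst)

def server_egress_findings(acl_lines, server_segments):
    """Return (address_range, rule_text) pairs where servers may reach any destination.

    Rules are evaluated top-down with first-match semantics, so an earlier
    deny shields a segment (or part of it) from a later broad permit.
    """
    rules = [(line, *parse_rule(line)) for line in acl_lines]
    findings = []
    for seg in map(ipaddress.ip_network, server_segments):
        remaining = [seg]                  # parts of the segment no rule has matched yet
        for text, action, src, dst in rules:
            if dst != ANY:                 # only unrestricted Internet egress matters here
                continue
            next_remaining = []
            for part in remaining:
                if not part.overlaps(src):
                    next_remaining.append(part)
                    continue
                # CIDR blocks that overlap are nested: take the smaller one.
                matched = part if part.subnet_of(src) else src
                if action == "permit":
                    findings.append((str(matched), text))
                if matched != part:        # rule covered only a sub-range; keep the rest
                    next_remaining.extend(part.address_exclude(matched))
            remaining = next_remaining
    return findings

# Constructed sample data: an edge ACL and the internal server segments.
ACL = [
    "deny 10.20.30.0/24 any",              # database servers blocked outright
    "deny 10.20.50.0/25 any",              # only half of this segment is blocked
    "permit 10.20.0.0/16 203.0.113.10/32", # narrow permit to one destination
    "permit 10.0.0.0/8 any",               # entire internal network allowed out
]
SERVERS = ["10.20.30.0/24", "10.20.40.0/24", "10.20.50.0/24"]

if __name__ == "__main__":
    for address_range, rule in server_egress_findings(ACL, SERVERS):
        print(f"{address_range} can reach the Internet via: {rule}")
```

Each finding pairs the exposed range with the rule responsible, which is the rule to tighten or to precede with an explicit deny for that segment.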

The report goes on to provide detailed, in-depth analysis of each of the nine common attack patterns – point-of-sale intrusions, web application attacks, insider/privilege misuse, physical theft and loss, miscellaneous errors, crimeware, payment card skimmers, espionage, and Denial-of-Service (DoS) attacks. For each pattern, the report recommends controls to mitigate it.

Microsoft Security Intelligence Report Volume 16

The Microsoft Security Intelligence Report (SIR) Volume 16 differs from the Verizon DBIR in that it focuses on the current global threat landscape of exploits, vulnerabilities, and malware using data gathered from their extensive online presence (Bing, Outlook.com, etc.) and opt-in telemetry from over 600 million computers around the world. SIR Volume 16 includes insight from data gathered from July to December 2013 (2H13) and indicates that overall, vulnerability disclosures are on the rise compared with recent history. Data shows that the majority of software vulnerabilities are in non-Microsoft software, indicating that their efforts to strengthen security in the core operating system and improve malware resistance are paying off. In this regard, attackers are focusing on softer, easier targets: third-party software installed on Windows PCs. The report provides detail about malware encounters and infections, which helps illuminate the effectiveness of security measures in place on the system. Java is still the most common attack vector, accounting for the majority of malware encounters in the wild. Common Windows exploits continue to target CVE-2010-2568, a vulnerability in Windows Shell that came to light when Stuxnet was discovered. This vulnerability was addressed in 2010 with MS10-046. Conficker is still quite prevalent in spite of the fact that the vulnerability it exploits was addressed in 2008 with MS08-067. I find it depressing that two of the most common and actively exploited vulnerabilities have been patched for at least four years, and six years in the case of Conficker.

Infection rates by operating system version continue to show downward trends for the most recent Microsoft operating systems. The data in the report is normalized, so the comparisons are valid and not skewed due to adoption rate. Again, Microsoft’s efforts in improving malware resistance are evident here. On a positive note, 75% of computers worldwide are always protected, which is another good trend.


Practical IPv6 for Windows Administrators

With the rapid depletion of the global IPv4 address pool, the adoption of IPv6 is growing significantly. The total exhaustion of public IPv4 addresses is inevitable, making IPv6 knowledge an essential skill that network engineers and systems administrators will need to have to be successful. While there are some excellent IPv6 references available today, there has been a lack of practical, real-world implementation guidance for IPv6. Until now! Practical IPv6 for Windows Administrators provides detailed information necessary for network engineers and systems administrators planning to deploy IPv6 on their corporate networks. It covers important topics such as IPv6 address assignment and name resolution, along with specific IPv6 integration information for Microsoft services such as Exchange, SQL, SharePoint, Hyper-V, and more.

IPv4 is a dead man walking. IPv6 is the way of the future; in fact, it is here now! Order your copy of Practical IPv6 for Windows Administrators today.

Click here to order your copy today!

Microsoft Security Bulletins for May 2014

For the month of May, Microsoft released 8 security bulletins addressing 13 vulnerabilities. 2 bulletins are rated as critical and 6 are rated as important. Affected software includes .NET Framework, all supported versions of Windows, Internet Explorer, Office, and SharePoint. For more information about May’s security bulletins click here. Microsoft also released a few important security advisories, including Security Advisory 2871997 to improve credential protection and management in operating systems prior to Windows 8.1/Server 2012 R2 (these features are already included in Windows 8.1 and Server 2012 R2). This update adds protection for the Local Security Authority (LSA) to reduce credential theft. Security Advisory 2960358 is an update for disabling RC4 in .NET Transport Layer Security (TLS), and Security Advisory 2962824 is an update rollup of revoked digital signatures for non-compliant UEFI modules.

Security Articles of Interest

  1. The Internet, and especially the security community, is still reeling this month from the revelation of the recently discovered OpenSSL vulnerability “Heartbleed”. Collectively, many realized that this project, which provides vital security to much of the Internet infrastructure, was severely underfunded and understaffed. Microsoft, along with the Linux Foundation, Amazon, Dell, Google, and others, is planning to provide funding for this group, which will bring much needed resources for this critical security component.

    http://threatpost.com/group-backed-by-google-microsoft-to-help-fund-openssl-and-other-open-source-projects/105672
     
  2. A serious 0-day vulnerability in Microsoft’s Internet Explorer was discovered recently. Microsoft released a security advisory and issued an out-of-band update to address the flaw. Although Windows XP is no longer supported, Microsoft chose to make the update available to XP users, due in part to the severity of the vulnerability and the timing of the release, which occurred such a short time after support ended.

    https://technet.microsoft.com/en-US/library/security/2963983
    https://technet.microsoft.com/en-us/library/security/MS14-021

  3. Although Microsoft Windows operating systems and applications are not affected by the Heartbleed OpenSSL vulnerability directly, it turns out that Windows 8.1 is, indirectly. Windows 8.1 ships with several third-party VPN clients included, one of which was apparently affected by Heartbleed. This security advisory and update is for the Juniper Networks Junos Pulse client.

    https://support.microsoft.com/kb/2962393

  4. Microsoft recently updated two white papers on software supply chain security and critical infrastructure protection. You can read more about them and download them here:

    http://blogs.technet.com/b/security/archive/2014/05/06/revised-cybersecurity-papers-on-supply-chain-security-and-critical-infrastructure-protection.aspx

  5. Is antivirus software dead? You might be surprised to know that executives from Symantec shared those sentiments in a recent article in The Wall Street Journal. There’s no question that AV software is an essential component in an overall defense-in-depth strategy. Yes, it might be antiquated, but it’s not dead by a long shot. It certainly has been commoditized, much like URL filtering in edge security gateways. Still, it’s not something you’d want to do without.

    http://krebsonsecurity.com/2014/05/antivirus-is-dead-long-live-antivirus/

  6. Did you know that if you’re running Windows 8.1, you have to install Windows 8.1 Update to continue receiving updates? Many don’t! In fact, Microsoft has already pushed back the deadline to install this update to 30 June. If you haven’t installed Windows 8.1 Update, be sure to do so soon!

    http://blogs.windows.com/windows/b/windowsexperience/archive/2014/05/12/windows-8-1-update-requirement-extended.aspx

  7. The Electronic Frontier Foundation (EFF) recently released its 4th annual report that rates technology companies on their efforts to protect customer data from the government. Microsoft scored a perfect 6/6 in the areas measured by the EFF. The evaluation criteria assess company practices and policies in the following areas: Requiring a warrant for content of communications, informing users about government data requests, publishing transparency reports, publishing law enforcement guidelines, fighting for users’ privacy rights in courts, and publicly opposing mass surveillance.

    https://www.eff.org/who-has-your-back-government-data-requests-2014

WindowSecurity.com Articles of Interest

  1. How to Achieve an Effective Patch Management System
  2. Web Browser Security Revisited – Part 7
  3. Symantec Endpoint Protection Voted WindowSecurity.com Readers’ Choice Award Winner – Antivirus
  4. Securing and Auditing Windows Active Directory – Part 1
  5. Securing your Lync Server – Part 1
  6. Effectively Securing Windows 8.x – 10 Things You Need to Know

Windows Security Tip of the Month

After reading the Verizon 2014 Data Breach Investigations Report and the Microsoft Security Intelligence Report Volume 16, it should be clear that attackers are using similar patterns and common attack vectors when mounting attacks. It stands to reason that focusing on defending against these real-world attacks and mitigating common vulnerabilities would yield the most value. Focusing on implementing controls that have been demonstrated to be effective is essential. The SANS Institute Top 20 Critical Security Controls is an excellent starting point. This is a list of controls that has proven to have the greatest impact on improving security posture and preventing or resisting attack. It prioritizes security functions and outlines controls that are derived from common attack patterns such as those included in the DBIR and SIR. Implementing these controls can provide important resistance to targeted attacks by determined adversaries. To learn more about the SANS Top 20 Critical Security Controls, click here.